2017-11-08 - HANCITOR MALSPAM - SUBJECT: RE: IPHONE X PRE-ORDER
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-11-08-Hancitor-malspam-traffic.pcap.zip 808 kB (808,249 bytes)
- 2017-11-08-Hancitor-malspam-traffic.pcap (1,024,590 bytes)
- Zip archive of the malware: 2017-11-08-Hancitor-malspam-and-artifacts.zip 217 kB (217,457 bytes)
- 2017-11-08-Hancitor-malspam-1648-UTC.eml (1,190 bytes)
- 2017-11-08-Hancitor-malspam-1708-UTC.eml (1,163 bytes)
- 2017-11-08-Hancitor-malspam-1735-UTC.eml (1,153 bytes)
- 2017-11-08-Hancitor-malspam-1835-UTC.eml (1,147 bytes)
- search.json.exe (150,016 bytes)
- tracking_info_760613.doc (186,368 bytes)
NOTES:
- In this Twitter thread, some security professionals discuss today's Hancitor malspam.
- See this Pastebin page for some domains and URLs not included in this blog post.
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-11-08 as early as 16:48 UTC through at least 18:35 UTC (see the timestamps in the .eml file names above)
- Subject: RE: iPhone X pre-order
- From: "SOUL Electronics USA" <order@soulelectronics.com>
- Received: from soulelectronics.com ([104.201.90.210])
- Received: from soulelectronics.com ([12.30.76.186])
- Received: from soulelectronics.com ([136.61.93.165])
- Received: from soulelectronics.com ([173.57.217.100])
- Received: from soulelectronics.com ([187.157.157.210])
- Received: from soulelectronics.com ([203.115.6.50])
- Received: from soulelectronics.com ([207.150.242.6])
- Received: from soulelectronics.com ([207.188.230.106])
- Received: from soulelectronics.com ([209.208.210.100])
- Received: from soulelectronics.com ([43.229.227.26])
- Received: from soulelectronics.com ([46.120.81.165])
- Received: from soulelectronics.com ([47.190.52.75])
- Received: from soulelectronics.com ([69.42.242.226])
- Received: from soulelectronics.com ([69.85.254.82])
- Received: from soulelectronics.com ([70.118.115.26])
- Received: from soulelectronics.com ([70.35.235.156])
- Received: from soulelectronics.com ([74.80.8.126])
- Received: from soulelectronics.com ([75.150.209.37])
- Received: from soulelectronics.com ([76.249.243.118])
- Received: from soulelectronics.com ([97.75.106.38])
- Received: from soulelectronics.com (107-1-172-100-ip-static.hfc.comcastbusiness.net [107.1.172.100])
- Received: from soulelectronics.com (216-241-61-98.static-ip.telepacific.net [216.241.61.98])
- Received: from soulelectronics.com (23-24-137-153-static.hfc.comcastbusiness.net [23.24.137.153])
- Received: from soulelectronics.com (50-242-52-169-static.hfc.comcastbusiness.net [50.242.52.169])
- Received: from soulelectronics.com (50-250-6-25-static.hfc.comcastbusiness.net [50.250.6.25])
- Received: from soulelectronics.com (50-250-94-177-static.hfc.comcastbusiness.net [50.250.94.177])
- Received: from soulelectronics.com (50-253-24-11-static.hfc.comcastbusiness.net [50.253.24.11])
- Received: from soulelectronics.com (64.50.123.147.ptr.us.xo.net [64.50.123.147])
- Received: from soulelectronics.com (65.23.16.178.nw.nuvox.net [65.23.16.178])
- Received: from soulelectronics.com (74-95-66-202-Minnesota.hfc.comcastbusiness.net [74.95.66.202])
- Received: from soulelectronics.com (75-138-226-161.dhcp.jcsn.tn.charter.com [75.138.226.161])
- Received: from soulelectronics.com (75-148-212-67-Houston.hfc.comcastbusiness.net [75.148.212.67])
- Received: from soulelectronics.com (96-38-75-90.static.jcsn.tn.charter.com [96.38.75.90])
- Received: from soulelectronics.com (96-88-142-22-static.hfc.comcastbusiness.net [96.88.142.22])
- Received: from soulelectronics.com (cmr-208-124-161-114.cr.net.cable.rogers.com [208.124.161.114])
- Received: from soulelectronics.com (cpe-static-negastroenterologyofhonesdale-rtr.cmts.haw.ptd.net [24.238.61.74])
- Received: from soulelectronics.com (email.howlandpump.com [69.193.107.42])
- Received: from soulelectronics.com (hlfxns0169w-142-176-102-132.pppoe-dynamic.high-speed.ns.bellaliant.net [142.176.102.132])
- Received: from soulelectronics.com (host-192-111-78-73.EPSOLT4.epbfi.com [192.111.78.73])
- Received: from soulelectronics.com (mail.allpointswasteservice.com [98.101.85.218])
- Received: from soulelectronics.com (mail.consigliandbrucato.com [98.118.62.186])
- Received: from soulelectronics.com (mail.knoxhousing.org [75.149.219.189])
- Received: from soulelectronics.com (mail.lehrmiddlebrooks.com [74.254.232.226])
- Received: from soulelectronics.com (mail.pba1873.com [99.124.239.57])
- Received: from soulelectronics.com (mail.thebellcenter.org [97.78.63.250])
- Received: from soulelectronics.com (rrcs-24-213-182-28.nyc.biz.rr.com [24.213.182.28])
- Received: from soulelectronics.com (rrcs-67-52-227-178.west.biz.rr.com [67.52.227.178])
- Received: from soulelectronics.com (rrcs-70-63-4-86.central.biz.rr.com [70.63.4.86])
- Received: from soulelectronics.com (static-68-236-120-88.bstnma.east.verizon.net [68.236.120.88])
- Received: from soulelectronics.com (static-71-175-81-126.phlapa.fios.verizon.net [71.175.81.126])
- Received: from soulelectronics.com (static-72-87-95-7.prvdri.fios.verizon.net [72.87.95.7])
- Received: from soulelectronics.com (static-98-118-52-168.bstnma.fios.verizon.net [98.118.52.168])
- Received: from soulelectronics.com (wsip-184-176-151-108.ph.ph.cox.net [184.176.151.108])
- Received: from soulelectronics.com (wsip-184-183-13-36.ph.ph.cox.net [184.183.13.36])
- Received: from soulelectronics.com (wsip-70-184-164-23.hr.hr.cox.net [70.184.164.23])
- Received: from soulelectronics.com (wsip-98-191-199-122.ok.ok.cox.net [98.191.199.122])
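Every origin hop above announces itself as soulelectronics.com in the HELO/EHLO, while the reverse-DNS names the receiving MTA recorded are unrelated cable, DSL and small-business mail hosts. The HELO name is attacker-controlled; the IP and PTR in the same Received header are not. The following Python is an added example (not code from this post) that pulls the origin hop out of a message, compares the claimed HELO against the MTA's reverse lookup, and collects the sending IPs for blocking. The EML texts are constructed: the origin Received lines are copied from the list above, while the mx1.example.net relay hop and the third, legitimate-looking message are made up for contrast.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples, not the .eml files from this post: each keeps only the
# headers this check needs. Messages 1 and 2 reuse origin-hop Received lines
# from the list above; message 3 is an invented clean message for contrast.
CONSTRUCTED_EMLS = [
    """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailstore.example.net with ESMTP id 0001; Wed, 8 Nov 2017 16:48:30 +0000
Received: from soulelectronics.com (50-242-52-169-static.hfc.comcastbusiness.net [50.242.52.169])
    by mx1.example.net with ESMTP id 0002; Wed, 8 Nov 2017 16:48:11 +0000
From: "SOUL Electronics USA" <order@soulelectronics.com>
Subject: RE: iPhone X pre-order

body
""",
    """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailstore.example.net with ESMTP id 0003; Wed, 8 Nov 2017 17:08:42 +0000
Received: from soulelectronics.com ([104.201.90.210])
    by mx1.example.net with ESMTP id 0004; Wed, 8 Nov 2017 17:08:20 +0000
From: "SOUL Electronics USA" <order@soulelectronics.com>
Subject: RE: iPhone X pre-order

body
""",
    """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by mx1.example.net with ESMTP id 0005; Wed, 8 Nov 2017 17:10:00 +0000
From: "Accounts" <accounts@example.org>
Subject: Invoice 1042

body
""",
]

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\("      # HELO/EHLO name the client claimed
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?"    # optional PTR name the MTA looked up
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)"    # connecting IP recorded by the MTA
)


def origin_hop(eml_text):
    """Parse the earliest Received header (bottom of the stack) of one message."""
    msg = message_from_string(eml_text)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Header folding is preserved by the parser; collapse it before matching.
    unfolded = re.sub(r"\s+", " ", received[-1]).strip()
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return None
    hop = m.groupdict()
    hop["from"] = msg.get("From", "")
    return hop


def helo_matches_rdns(hop):
    """True only when the MTA's reverse lookup backs up the claimed HELO domain."""
    rdns = hop.get("rdns")
    if not rdns:
        return False  # no PTR at all: the HELO claim cannot be verified
    helo = hop["helo"].lower()
    rdns = rdns.lower()
    return rdns == helo or rdns.endswith("." + helo)


def spoofed_sender_ips(eml_texts):
    """Sorted, de-duplicated origin IPs whose HELO is not confirmed by rDNS."""
    ips = set()
    for text in eml_texts:
        hop = origin_hop(text)
        if hop and not helo_matches_rdns(hop):
            ips.add(hop["ip"])
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in spoofed_sender_ips(CONSTRUCTED_EMLS):
        print(ip)
```

The check deliberately treats a missing PTR the same as a mismatch: a sender that cannot be confirmed gets no credit for a brand-name HELO. Run it over a directory of .eml files from one campaign and the result is the block list of compromised senders; the From address is left alone because it matches the HELO in every message here and adds nothing.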
Shown above: Clicking on a link from one of the emails.
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://attorneylove.com
- hxxp://captainspeedy.com
- hxxp://johnsanna.com
- hxxp://mobileevolution.net
- hxxp://nominateattorneys.com
- hxxp://phonefix.guru
- hxxp://phonefix.repair
- hxxp://topattorneysofna.com
- hxxp://whoswhodirectories.com
- hxxp://wwdirectories.com
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 45.76.92.24 port 80 - phonefix.guru - GET /
- port 80 - api.ipify.org - IP address check by the infected Windows host
- 185.187.90.38 port 80 - parhecotevent.com - POST /ls5/forum.php
- 185.187.90.38 port 80 - parhecotevent.com - POST /mlu/forum.php
- 185.187.90.38 port 80 - parhecotevent.com - POST /d2/about.php
- 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/1
- 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/2
- 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/3
- 185.174.173.6 port 443 - henfobuthis.com - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - google.com - Connectivity check by Zeus Panda Banker
- port 80 - www.google.com - Connectivity check by Zeus Panda Banker
- port 443 - www.google.com - Connectivity check by Zeus Panda Banker
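The traffic list above is the whole chain in order: the document download from the link domain, an IP lookup, Hancitor check-ins (POST to short-path forum.php/about.php URIs), numbered extensionless files pulled from a compromised WordPress site, then the Zeus Panda Banker callbacks. The Python below is an added example (not code from this post) that turns those observations into hunting rules and runs them over proxy log lines. The log lines are constructed in a minimal "client method host uri" layout: 10.0.0.15 replays the sequence above, 10.0.0.22 is a clean host that only does an IP lookup. The URI regexes are generalised from the paths in this one sample and the host list is taken from this page; both are assumptions to tune, not a vendor signature.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the pcap on this page): "client method host uri".
CONSTRUCTED_LOG = """\
10.0.0.15 GET phonefix.guru /
10.0.0.15 GET api.ipify.org /
10.0.0.15 POST parhecotevent.com /ls5/forum.php
10.0.0.15 POST parhecotevent.com /mlu/forum.php
10.0.0.15 GET bamrungrak.ac.th /wp-content/plugins/disable-comments/1
10.0.0.15 GET bamrungrak.ac.th /wp-content/plugins/disable-comments/2
10.0.0.15 POST parhecotevent.com /d2/about.php
10.0.0.22 GET api.ipify.org /
10.0.0.22 GET www.example.com /index.html
""".splitlines()

# Post-infection hosts taken from the traffic list on this page.
KNOWN_BAD_HOSTS = {"parhecotevent.com", "bamrungrak.ac.th", "henfobuthis.com"}

# Rules fitted to the paths seen in this sample (assumption: later campaigns
# reuse the shape, not the exact path). Each rule gets (method, host, uri).
RULES = [
    # Hancitor check-in: POST to a short directory plus forum.php or about.php
    ("hancitor_c2_post", lambda m, h, u: m == "POST"
        and re.fullmatch(r"/[a-z0-9]{1,5}/(forum|about)\.php", u) is not None),
    # Follow-up payloads: numbered, extensionless files under a WP plugin path
    ("wp_numeric_payload", lambda m, h, u: m == "GET"
        and re.fullmatch(r"/wp-content/plugins/[^/]+/\d{1,2}", u) is not None),
    # External IP lookup: common in malware, but also in plenty of legitimate tools
    ("ip_check", lambda m, h, u: h == "api.ipify.org"),
    ("known_bad_host", lambda m, h, u: h in KNOWN_BAD_HOSTS),
]

# ip_check on its own is too noisy to act on; require a strong indicator too.
STRONG = {"hancitor_c2_post", "wp_numeric_payload", "known_bad_host"}


def parse_line(line):
    """Split one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, host, uri = parts
    return client, method.upper(), host.lower(), uri


def match_indicators(lines):
    """Map each client IP to the sorted list of rule names it triggered."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, uri = rec
        for name, rule in RULES:
            if rule(method, host, uri):
                hits[client].add(name)
    return {client: sorted(names) for client, names in hits.items()}


def infected_clients(lines):
    """Clients with at least one strong indicator, sorted for stable output."""
    return sorted(
        client for client, names in match_indicators(lines).items()
        if STRONG & set(names)
    )


if __name__ == "__main__":
    for client, names in match_indicators(CONSTRUCTED_LOG).items():
        print(client, ", ".join(names))
    print("infected:", infected_clients(CONSTRUCTED_LOG))
```

Scoring per client rather than per request is what keeps the ipify lookup useful: alone it is ignored, but it corroborates the C2 POSTs on the same host. The link domains in the emails (phonefix.guru and the rest) are deliberately not in KNOWN_BAD_HOSTS; a single GET to one of them means a user clicked, not that the macro ran, so they belong in a separate "exposed" list.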
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 45ce33d3461844999b883db1b54a51a37ac85115f17aea24906be23362562235
File name: tracking_info_[six random digits].doc (for example: tracking_info_760613.doc)
File size: 186,368 bytes
File description: Microsoft Word document with malicious macro for Hancitor
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 477ee5f96261a841dac846a4ad22520db4f9630edf3082f23846f70642d3bff3
File location: C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
File size: 150,016 bytes
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker made persistent on the infected host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-11-08-Hancitor-malspam-traffic.pcap.zip 808 kB (808,249 bytes)
- Zip archive of the malware: 2017-11-08-Hancitor-malspam-and-artifacts.zip 217 kB (217,457 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.